Data protection is increasingly becoming an innovation barrier

• More than two thirds of companies have already stopped innovation projects due to data protection requirements or uncertainties.
• The European General Data Protection Regulation (GDPR) has been in force since 25 May 2018.

Berlin, 23 May 2025 – More than two-thirds of companies in Germany feel that data protection requirements are holding them back. Seventy per cent have already stopped at least one innovation project due to data protection requirements or uncertainties about the application of current law. A year ago, this figure was 61 per cent. As in the previous year, 17 per cent say they have abandoned innovation plans once. In 35 per cent of companies, this has already happened several times (2024: 27 per cent), and in 18 per cent even frequently (2024: 17 per cent). These are the findings of a representative survey of 605 companies with 20 or more employees in Germany, commissioned by the digital association Bitkom. The figures were published by Bitkom on the occasion of the seventh anniversary of the European General Data Protection Regulation (GDPR), which has been in force since 25 May 2018. 

"Data protection has become the number one barrier to digitalisation in Germany," says Bitkom President Dr Ralf Wintergerst. "Due to its high complexity, the large number of supervisory authorities, and their differing interpretations of data protection requirements, companies are unsettled and too often refrain from pursuing data-driven digital innovations. 

For Germany and Europe to remain at the forefront of future technologies such as artificial intelligence or digital platforms, we need a new approach to data protection: a high level of protection for truly sensitive data, and pragmatic, innovation-friendly rules for all other data." 

Current plans by the European Commission to extend exemptions from the obligation to maintain records of processing activities to larger companies are, in Bitkom’s view, insufficient. "What is really needed are broader reductions in documentation and reporting obligations, as well as a stronger consideration of technological developments, for example in artificial intelligence," says Wintergerst. At present, overlapping reporting obligations – for example under the GDPR, the AI Act, or the Data Act – are creating significant bureaucratic burdens, particularly for small and medium-sized enterprises. 

The high level of documentation required, including records of processing activities and data protection impact assessments, ties up resources that are urgently needed for innovation. 

"The coalition agreement’s proposal to consolidate data protection supervision under the Federal Commissioner for Data Protection offers an opportunity to achieve urgently needed, uniform nationwide interpretation of the GDPR," says Wintergerst. "This could enable us to align data protection more closely with actual risks rather than theoretical ones, and to consider not only data protection itself but also the potential loss of individual and societal value created through data use."